Responsible Vulnerability Disclosure Policy
The safety of our customers' data, as well as the un-interrupted functionality of our platform is of the highest concerns to Morpher. Despite our regular audits, code reviews, and security checks, we are always happy to hear from the investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers.
This page aims to define a methodology by which we, the Morpher Team, can work with you, the security researcher, to improve our online security.
We are interested in all security issues you find, and we're happy to provide a bounty for specific critical bugs (depending on the severity).
We want to hear about every new (unreported) vulnerability that is considered “critical” and affects Morpher systems. Our systems include morpher.com, subdomains, and the Morpher Protocol. Examples of this include:
There are also many "non-critical" vulnerabilities we still want to hear about if you discover them. Often this is when best-practices aren't being followed such as:
We will generally not consider investigating things that are out of our control such as:
The following vulnerabilities are explicitly not included in the bug bounty program and will not be responded to:
Reason: We are not in the position to address and further fix those vulnerabilities, as they do not occur within our services.
Reason: Infrastructure information leakage occurs through our third party providers, such as AWS and others.
Any bugs you experience in the app, that are not "critical", should be shared with email@example.com instead.
We absolutely believe that great security research should be rewarded. Our reward structure is fluid, there's no lower or upper limit. It strictly depends on the severity of the vulnerability. More dangerous bugs command greater gratitude and higher rewards.
If you discover a vulnerability in our systems, please email firstname.lastname@example.org.
Please include as much detail as possible. Depending on the complexity, it would be helpful to understand how to reproduce it, and what systems are involved. A quick guide or screencast is recommended.
If you report a vulnerability that our team is not yet aware of, we’ll evaluate the severity and inform you within 1 week if it's eligible for a bug bounty.
Below are our requirements for how proper security research and reporting should be conducted:
In general, any action taken by you, the security researcher, should be limited to tests and sharing the information with us.